2025 was as advertised: the second Trump Administration introduced unprecedented uncertainty and disruption into the operations of organizations large and small across all sectors. And AI use just kept on expanding, bringing its own uncertainty and potential for disruption. Legal and compliance experts help CCI dig into what made news in governance, risk and compliance professions this year and what we can expect in 2026.
Tariffs spark massive economic instability and shake up risk landscape
The Trump Administration’s sweeping tariffs, which Thad McBride of law firm Bass, Berry & Sims called the word of the year, reshaped the entire corporate landscape in 2025, creating ripples that extended far beyond the loading dock into boardrooms, accounting departments and risk management frameworks.
Tariffs imposed this year amounted to an average tax increase of $1,200 per US household, while federal tariff revenue surged to $195 billion in fiscal year 2025, more than 250% of what was collected in 2024. But the national financial impact told only part of the story.
Companies scrambled to adapt their supply chains, with legal and compliance teams thrust into unfamiliar territory as they worked alongside CFOs and logistics officers to assess exposure, evaluate sourcing alternatives and navigate unprecedented disclosure challenges. The wild swings in tariff rates created havoc for importers ordering products months in advance, transforming what once seemed like straightforward trade compliance into a minefield of financial reporting complexities.
The enforcement environment grew teeth fast. The DOJ reorganized offices to prioritize criminal prosecutions of trade and customs fraud, deploying prosecutors who traditionally focused on financial fraud to go after tariff evasion and “transshipment” schemes. Companies that played fast and loose with country-of-origin designations or tariff classifications faced not just civil penalties but criminal exposure under the False Claims Act and even general wire fraud statutes carrying up to 20 years in prison.
The stakes grew as compliance obligations expanded beyond simply paying duties to supply chain transparency, due diligence and the real risk of being pilloried by a government eager to demonstrate enforcement priorities.
Meanwhile, boards rewired their oversight to treat geopolitical volatility as a permanent feature rather than a passing phase. Leading boards embedded geostrategy into full board discussions and ongoing education programs, recognizing that the era of taking open global trade for granted had definitively ended. Directors pushed management teams beyond war room tactics to incorporate longer-term perspectives, asking hard questions about which assumptions underpinning corporate strategy could be undermined by shifting trade policies.
The compliance function found itself at the center of these strategic conversations, uniquely positioned to translate tariff pressures into actionable intelligence about supply chain vulnerabilities, financial reporting obligations and the expanding universe of enforcement risk.
Both the substance and style of the tariffs had an impact, observers said.
“Companies that are trying to comply with shifting, often contradictory and fully unpredictable new requirements for their business have struggled to understand how to comply,” Ice Miller partner Meghann Supino told CCI in a written Q&A. “Even professional trade advisers and the regulators implementing the new rules have been struggling to keep up with the shifts, interpreting new policies based on social media posts and policy statements ahead of official publications in the Federal Register.”
An expected Supreme Court decision in Learning Resources v. Trump, potentially during the first half of next year, could further shake the landscape if the court determines tariffs issued under the International Emergency Economic Powers Act (IEEPA) are unconstitutional, Charles Baldwin of Brooks Pierce told CCI in December.
“What will the practical consequences be of that ruling,” Baldwin posed in a written Q&A with CCI. “Will the court uphold the tariffs? If not, will the Trump Administration seek other justifications for the tariffs? Will tariffs collected unlawfully be refunded? Will new tariffs be imposed? The issues are expected to play out well into 2026.”
In the meantime, more enforcement action around tariffs is expected, Cody Herche, a senior DOJ counsel, told a group of anti-corruption lawyers at ACI’s 2025 FCPA conference.
Regardless of what happens in the courts, the destabilizing effects of tariffs are likely to persist in 2026, experts told CCI.
“Expect more volatility, not less. Tariffs are now a policy tool of first resort — politically, economically and diplomatically,” Pete Mento, director of global trade advisory services at consultancy Baker Tilly, told CCI in a written Q&A. “We’re going to see more investigations, more emergency actions, more reciprocal tariffs and more legal challenges.”
Supino suggests weekly check-ins to ensure that current tariff strategies remain compliant as policies shift regularly, while Mento has a similar idea: “Compliance teams win in volatile tariff environments by staying sharp, organized and just a little bit paranoid.”
FCPA & other corporate enforcement changes
The rollercoaster of FCPA enforcement under the Trump Administration left compliance professionals dizzy, beginning with a February executive order initiating a 180-day pause on enforcement, followed by the DOJ’s dismissal of cases against tech executives, the departure of the SEC’s top anti-bribery officials, and then — just four months into the pause — an abrupt restart of enforcement with a dramatically different focus.
A June memo from Deputy Attorney General Todd Blanche made clear that FCPA enforcement would no longer prioritize promoting democracy overseas but would instead target conduct that “harms US national interests,” whether by depriving American companies of fair competition, threatening national security infrastructure or facilitating cartels and transnational criminal organizations. The shift represents a historic pivot for the landmark anti-corruption law, with legal historian Severin Wirz noting it’s the first time in decades a major US policy document has conspicuously neglected to mention democracy promotion.
The new approach has left compliance teams recalibrating risk assessments while experts universally counseled against dismantling programs or assuming bribery is suddenly legal. As Baker Donelson’s Sean O’Connell told CCI after the pause: “Biggest mistake: Thinking ‘reduced enforcement’ means ‘reduced investment.’ It doesn’t. It means more focused enforcement. And you better hope the focus isn’t on you.”
After the FCPA pause was announced, other jurisdictions sought to remind the world that they, too, can prosecute bribery. The UK, France and Switzerland, for example, announced formation of an international task force to combat corruption, while California’s attorney general warned that FCPA violations can also be prosecuted in the state. Near the end of 2025, though, the fruits of these efforts remain to be seen.
“There are rumblings from some states, most notably California, that they may try to fill the breach and more aggressively prosecute bribery and corruption in violation of state law,” Thad McBride of law firm Bass, Berry & Sims told CCI in a written Q&A. “Several countries in Europe have likewise pledged to strengthen their own anti-bribery and anti-corruption enforcement efforts. At the moment, all this appears to be a drop in the bucket — and perhaps a leaky bucket at that.”
The shifted federal focus is particularly complex for companies operating in Latin America, where the Trump Administration’s designation of cartels as foreign terrorist organizations has created unprecedented risks. As experts noted, distinguishing where a cartel ends and a business begins in many locations is often not abundantly clear, forcing companies to navigate potential material support violations reminiscent of the Lafarge case in Syria. The requirement that all new FCPA investigations receive personal approval from the assistant attorney general suggests fewer cases will be opened but those that are will be more serious, faster-moving and politically salient, with companies facing sharper scrutiny and more public visibility.
The new enforcement reality means the risk map has fundamentally changed; the most dangerous geography is no longer simply “where corruption is common” but rather where foreign counterparts have leverage over something the US government values, whether defense contracts, tech infrastructure or energy logistics. And while DOJ enforcement may be more selective, foreign regulators, particularly the UK’s Serious Fraud Office, are expanding aggressively, creating a compliance landscape where the same facts could be non-material in Washington but career-ending in London.
The complexity of navigating this multi-jurisdictional anti-corruption landscape is explored in depth in “Bribery Beyond Borders,” Wirz’s new book from CCI Press examining the origins of the FCPA. Meanwhile, whistleblower incentives remain fully intact at both the DOJ and SEC, and statutes of limitations continue running regardless of the administration’s enforcement posture, meaning conduct during this period could still face scrutiny years down the road.
In May, the DOJ’s Criminal Division overhauled its corporate enforcement and voluntary self-disclosure policy (CEP), replacing the previous presumption of declination with what Criminal Division head Matthew Galeotti called a “clear path to declination” for companies that voluntarily self-disclose, fully cooperate, timely remediate and have no aggravating circumstances. The revised CEP also created a “near-miss” category offering substantial benefits — including non-prosecution agreements with terms under three years, no corporate monitor and a 75% reduction off the low end of sentencing guidelines — for companies that self-report in good faith but don’t meet all voluntary self-disclosure requirements.
Despite the promised certainty, questions remain about whether the guaranteed declination will truly move the needle for companies when making self-reporting determinations, since factors like whether misconduct was “reasonably prompt” or previously known to the DOJ remain outside companies’ control. Deputy Attorney General Todd Blanche, speaking at the ACI’s annual FCPA conference in December, suggested a single, streamlined CEP would be forthcoming.
Meanwhile, the National Security Division demonstrated the policy’s potential benefits with rare declinations that rewarded early self-reporters, though experts caution that even successful disclosures can trigger significant collateral consequences, including substantial penalties and reputational harm.
Broadly, the administration’s aggressive push to dismantle the regulatory state created a paradoxical reality for compliance professionals: Deregulation is generating more work, not less. From the CFPB’s near-elimination to the FCPA pause to suspended CTA enforcement, federal agencies retreated from oversight at unprecedented speed, but as one veteran compliance professional noted, periods of deregulation often create more complexity for compliance departments, not less. Every regulatory change, whether adding or removing requirements, necessitates a systematic response with updated procedures, reconfigured systems, retrained employees and revised documentation. When multiple changes happen simultaneously across federal and state jurisdictions, the compliance workload multiplies, creating a whipsaw effect as institutions that quickly adapted their practices based on anticipated deregulation may need to reverse course if changes don’t materialize as expected.
This situation is compounded by the fact that federal pullback doesn’t mean risk disappears; it just shifts. State enforcers are stepping up to fill regulatory voids, private rights of action remain available, statutes of limitations preserve future liability, and reputational risks persist regardless of enforcement posture.
Smart compliance departments are asking themselves what kind of organization they want to be when the dust settles, recognizing that the regulatory pendulum inevitably swings back. The most successful institutions maintain consistent standards regardless of the regulatory environment, understanding that sound compliance isn’t just about meeting minimum requirements; it’s about sustainable business practices. And with the Supreme Court’s Loper Bright decision eliminating Chevron deference adding another layer of uncertainty to agency authority, compliance teams face the challenge of operating in an environment where even the rules about making rules are in flux.
AI use — and risk — becomes near-universal
The numbers tell a story of either breathtaking transformation or spectacular folly, depending on whom you ask. Nearly nine in 10 global companies surveyed by McKinsey are using AI for at least one business function, while Microsoft, Alphabet, Amazon and Meta expect to spend a combined $380 billion on AI technologies and infrastructure in 2025 alone. However, a much-touted MIT study dropped a bomb on the hype cycle: 95% of companies investing in internal AI projects are seeing zero return on investment or no measurable impact on profits.
Amazon’s CEO predicts billions of AI agents across every aspect of the economy, while Shopify’s CEO told his organization that any request for more headcount must now prove the job can’t be done by AI. Meanwhile, criminals are weaponizing the same technology, deploying teams of AI agents working collaboratively to automate attacks with polymorphic malware that constantly changes its code to evade detection and personalized phishing campaigns that mine victims’ data to create devastatingly convincing lures.
The US and (perhaps) global economy is being propped up by what some fear is an AI bubble. Meanwhile, emerging research is calling into question how equipped the power grid is for the flurry of data center construction needed to keep up with projected AI demand. So, how can corporate integrity professionals keep their firms out of the “trough of disillusionment,” as Gartner has termed our current stage of the hype cycle? How can they build governance frameworks for technology that evolves faster than they can write rules for it? How can they mitigate risk when agentic AI can make decisions and take actions independently? How do they deal with the patchwork of regulatory approaches (and executive orders) at state, federal and international levels?
As the cliché goes, very carefully.
They make sure humans are in the loop — in the right places. They balance prudence and innovation. They ask forward-thinking questions, especially when deploying AI in high-risk settings. And they do something that is perhaps unthinkable for a compliance professional, says Asha Palmer of learning company Skillsoft: they get comfortable with not having all the answers right away.
“When I got into compliance, I kept saying, no one’s sharing their anti-bribery and -corruption policies, and if you wanted to find one on the internet, you would not,” Palmer said. “It was like, ‘you create your own, you create your own; good luck.’ And I think we’re kind of in that era [where people are scared] to share their policies and journeys and governance and infrastructure because they don’t know that they have it right. And that’s what we need to shake a bit of, which is, it’s not a matter of getting it right. None of us know what we’re doing, but we’re all trying to figure it out together.”
While this is a primary concern for the compliance functions, the chief compliance officer isn’t the only one thinking about this. Indeed, boards of directors are increasingly adding AI risk to their oversight agenda. An EY Americas Center for Board Matters analysis found that 48% of boards disclosed that they have oversight of AI risk, triple the 16% that had such a disclosure in 2024. Not only are boards increasingly taking on AI risk oversight, they’re also working to make sure board members themselves are comfortable with the technology underlying large language models, says EY’s Lee Henderson.
Indeed, taking a holistic approach to AI risks is critical, Eileen Duffy Robinet and Matt Braunel of law firm Thompson Coburn told CCI in a written Q&A.
“Ultimately, AI governance succeeds only when each role operates at the right altitude: the board overseeing strategy and enterprise exposure, the [chief compliance officer] building systems and guardrails and investigators applying those controls in the field while feeding back real-world intelligence,” they wrote. “When aligned, these three perspectives form a complete risk lifecycle — strategic, operational and tactical — that allows organizations to adopt AI confidently without losing sight of safety, compliance or accountability.”
A multi-disciplinary approach is necessary, said Brett Tarr, head of privacy and AI governance at GRC software provider OneTrust.
“AI offers powerful opportunities for innovation but also introduces new risks that require tailored oversight,” he said. “Each function approaches AI from a different angle, but all must understand how technology and governance intersect.”
Education is key, experts said, for everyone in the organization. The EU’s AI Act, for example, requires all staff at covered organizations to be AI literate, which doesn’t just mean developers or IT teams but HR using AI in recruitment, marketing deploying GenAI and contractors using AI systems.
As AI continues to proliferate across organizations, its omnipresence will have its own unique effect, Henderson said, when it comes to accountability and processes.
“[But because of] the layers of AI involvement and lack of human intervention, you don’t know where they are, where it is anymore,” Henderson said. “You don’t know how much reliance exists throughout the work stream as something is handed to you.”
The implications ripple into unexpected corners, from attorney-client privilege questions when AI joins confidential strategy sessions to the challenge of teaching machines to spot what actually matters in compliance alerts.
What’s next? More, Palmer says, of just about everything except budget and regulatory oversight.
“[In] small teams, some of whom have lost team members, some who aren’t being replaced, some whose organization is like, we’re not going to get in trouble anyway, it will be hard to get more people or budget, and the number of risk areas and the tasks are just increasing.”
In 2026, expect, “More use [of AI], more opportunity and probably more work, too, but in order to do that, you have to lean into AI more,” Palmer said.
Over the next year, we should also expect at least one major breach connected to an AI-driven deepfake or similar fraud, said Brian Nichols, principal in consultancy Baker Tilly’s risk advisory practice, making it critical for corporations to balance the risks and opportunities the technology presents.
“Strong governance, regular red-team testing and employee education around emerging impersonation threats are now table stakes,” Nichols told CCI in a written Q&A. “2026 will test whether enterprises can strike the right balance, leveraging AI for protection without underestimating the ways adversaries will turn the same technology against them.”
And always remember, what seems cutting-edge today may soon be outdated, said Robert Botkin, an associate at law firm Parker Poe.
“In 2026, businesses should keep an eye out for world models, which are increasingly viewed as the likely successor or complement to today’s LLM-driven agents,” Botkin told CCI in a written Q&A. “World models allow AI systems to simulate real-world environments — objects, constraints, causal relationships and future states — enabling the system to choose actions based on how conditions are expected to change, not merely on statistical patterns in text. As a result, world model-enhanced agents could move beyond next-word prediction and begin demonstrating grounded reasoning and risk awareness. In practice, they would upgrade today’s AI agents by giving them a more reliable framework for understanding context, consequences and uncertainty.”
The data doesn’t lie: Half of compliance officers have anxiety, for some it could be tied to their org chart
In an industry where “no permission to fail” isn’t just a mindset but a survival strategy, nearly half of compliance officers experienced anxiety in the past year, and a sobering majority say their jobs played a “large” or “extremely large” role in fueling those mental health challenges. CCI’s 2025 survey of more than 300 compliance professionals confirmed what many in the field have long whispered privately but rarely acknowledged publicly: This is an unusually tough profession that extracts a real psychological toll.
Nothing could tell the story more viscerally than the anonymous essay CCI published by a compliance and ethics leader in the defense industry who wrote that their reporting relationship to legal “isn’t merely ineffective; it is inherently combative,” describing how their perspective is “curtly and summarily overridden” by the chief legal officer. Housed within a legal department where they’re outnumbered roughly seven to one, this practitioner captured the isolation and impossibility of the role: “Exactly to whom can we say, ‘this isn’t working’ or ‘I can’t do this’ or ‘the compliance program that I run is hovering on the edge of malpractice’ without risking the end of our careers?”
CCI’s survey data backed up this lived experience: Compliance officers reporting to legal departments showed the highest dissatisfaction rates, with 27% rating that structure as ineffective, more than double the rate for any other reporting arrangement. Meanwhile, 60% of those in ineffective structures overall experienced high job-related stress compared to just 31% in effective structures. Those reporting directly to CEOs or boards rated their structures as most effective.
As law professor Joseph Burke argued, this isn’t an organizational quibble; it’s a fundamental recognition that compliance and legal functions have different mandates that create paralyzing conflicts when one reports to the other.
And the high stakes breed what experts identify as a personality type particularly drawn to compliance careers: high conscientiousness combined with perfectionism.
“The personality type that’s attracted to it [has a] high level of conscientiousness, high level of perfectionism,” explained burnout expert Jennifer Moss. “[Compliance officers] really feel pressured to always have to be perfect, and perfectionism is one of the personality traits that are very prone to burnout.”
The pressure to be the final authority on complex ethical and regulatory matters intensifies feelings of self-doubt, as BarkerGilmore’s Brittney McDonough explored in examining imposter syndrome among compliance leaders.
Yet the profession showed some encouraging signs of evolution. Burnout, while still common at 51%, was down from 59% in 2022. Compliance officers increasingly feel respected by colleagues (76%, up from 68%) and trust in organizational leadership rose to 51% from 45%. The percentage feeling effective in their roles jumped dramatically from 57% to 73%. These improvements suggest that organizations are beginning to value compliance differently, though significant challenges remain around workload, resources and the fundamental question of where compliance should sit in the organization.
The recognition that compliance work can lead to serious burnout hit especially close to home when CCI’s own editorial director, Jennifer L. Gaskin, wrote about her personal flood — both literal and metaphorical — describing how she focused only on work while experiencing a natural disaster.
FinCEN says CTA rules no longer apply to Americans or US-founded companies
After a convulsive path marked by multiple contradictory court rulings, the Treasury Department in March announced it would no longer require US-based companies or American citizens to comply with beneficial ownership reporting rules under the Corporate Transparency Act (CTA), narrowing the law’s scope to foreign companies registered to do business in the US. Treasury Secretary Scott Bessent called the move “a victory for common sense” and part of Trump’s agenda to reduce burdensome regulations on small businesses. The dramatic reversal came barely two weeks after courts had reinstated the CTA reporting mandate, leaving compliance professionals and business owners whipsawed by the law’s tumultuous implementation since it took effect in January 2024.
The policy shift limits CTA application to about 11,000 foreign entities, fewer than 1% of the 33 million companies FinCEN originally estimated would need to report. Critics warn the rollback undermines the law’s core anti-money laundering purpose, as foreign owners typically form US domestic entities to transact rather than registering foreign entities directly.
“In the global AML world, the US system’s lack of corporate transparency is regarded as a highly attractive feature for money laundering and sanctions evasion,” attorney Jamie Schafer of Perkins Coie wrote in March, cautioning that the amended rule would have “very little practical impact on combatting access to US markets by money launderers, sanctioned individuals and countries and corrupt government officials.”
While a resurrection of the CTA’s broad application on the federal level seems impossible, a similar law, the New York LLC Transparency Act (NYLLCTA), is set to take effect in New York state in 2026, though a bill to amend the state law to “contemplate the changes in CTA reporting and enforcement at the federal level” has yet to be signed by Gov. Kathy Hochul, Bass, Berry & Sims attorney Chris Climo told CCI.
Despite the uncertainty, Crystal Trout, financial crimes compliance practice leader at consultancy Baker Tilly, recommends corporate compliance professionals do things like mapping beneficial ownership, training staff and conducting risk assessments to ensure their organizations are prepared for whatever is next.
Trump admin attacks, seeks to criminalize corporate DEI
Corporate DEI programs, which emerged over the past decade as a key pillar of ESG’s social component alongside human rights and labor practices, faced an existential threat in 2025 as the Trump Administration moved to characterize diversity initiatives as illegal discrimination.
Within days of taking office in January, Trump signed executive orders targeting DEI across the federal government and private sector, with Attorney General Pam Bondi on her first day directing the DOJ’s Civil Rights Division to “investigate, eliminate and penalize illegal DEI” in private companies, including through potential criminal investigations. The orders rescinded Executive Order 11246, which since 1965 had required federal contractors to develop affirmative action programs, and directed federal agencies to identify up to nine potential enforcement targets among large corporations, nonprofits and educational institutions.
In July, the DOJ released guidance clarifying when DEI initiatives become discrimination under federal law, targeting practices like race-specific scholarships and hiring programs while creating False Claims Act exposure for contractors who certify compliance with anti-discrimination laws. The unprecedented threat of criminal prosecution — though no statute clearly supports such charges — sent shockwaves through corporate America, with major companies including Amazon, Meta, Walmart and Ford either scaling back or eliminating DEI programs. Corporate leaders now face a dilemma: maintaining diversity commitments risks DOJ investigation, while abandoning them could trigger discrimination lawsuits claiming the rollback created hostile work environments.
In February, a coalition of 16 Democratic state attorneys general issued counter-guidance affirming that lawful, narrowly tailored DEI programs remain permissible and help reduce litigation risk, while multiple lawsuits have challenged the executive orders as unconstitutionally vague. The clash underscores what one expert described as ESG’s hardest lesson: the social pillar — encompassing DEI, human rights and community programs — still lacks the standardized measurement frameworks that have helped legitimize environmental reporting, leaving companies vulnerable when political winds shift.
EU softens some climate reporting requirements, California pushes forward with its rules
The European Parliament in November voted to dramatically scale back the EU’s landmark Corporate Sustainability Reporting Directive (CSRD), raising thresholds that would remove an estimated 80% to 90% of companies originally slated for coverage. The vote — with far-right parties joining center-right lawmakers over progressive opposition — raised the employee threshold to 1,750 and revenue threshold to €450 million, eliminated the requirement for companies to prepare climate transition plans and significantly raised thresholds for the Corporate Sustainability Due Diligence Directive (CSDDD) to cover only the largest companies with 5,000 employees and €1.5 billion in revenues. Critics have warned the pullback risks gutting Europe’s wider sustainability agenda, with negotiations continuing with the aim of finalizing the legislation by year’s end.
Meanwhile, California continues pressing forward with its climate accountability requirements despite its own enforcement flexibility. The California Air Resources Board announced in December 2024 that while 2026 reporting deadlines remain unchanged, it would not penalize companies for incomplete first-year reporting if they demonstrate good-faith compliance efforts, a pragmatic adjustment that some see as reasonable and others worry could become a loophole slowing transparency. The grace period comes as the SEC effectively abandoned its climate disclosure rule, leaving California’s requirements for companies with over $1 billion in revenue to disclose Scope 1 and 2 emissions as the primary driver of US corporate climate transparency.
Yet the political landscape has left some companies practicing “greenhushing,” deliberately downplaying sustainability achievements to avoid drawing attention in an environment where ESG has become politically fraught.
DOJ launches new data security program
The DOJ implemented sweeping data security requirements that extended national security controls far beyond traditional defense contractors to any company handling Americans’ sensitive personal data. The data security program (DSP), which went into effect April 8, prohibits or restricts transactions that would allow individuals in countries of concern — China, Russia, Iran, North Korea, Cuba and Venezuela — from accessing bulk sensitive data including genomic information, precise geolocation and personal health or financial information. The program’s reach extends well beyond data brokerage to cover vendor agreements, employment arrangements and investment agreements, with the program even covering anonymized or aggregated data in certain circumstances.
Companies engaging in restricted transactions must now implement CISA-specified security standards and maintain auditable compliance programs, including risk-based procedures for verifying data flows, screening vendors against a “covered persons” list, and maintaining comprehensive records for at least 10 years.
“The DOJ’s data security program is remarkable in that it’s been hard for our government to implement federal rules regarding data privacy and security that are not industry specific,” Sarah Hutchins, a partner at Parker Poe who leads the law firm’s cybersecurity & data privacy team, told CCI in a written Q&A. “It shows a deliberate shift toward rules that apply across industries, not just where they’ve had limited success up to this point.”
Perhaps most unusually, the program requires companies to report to the DOJ within 14 days of receiving — and rejecting — offers to engage in prohibited data brokerage transactions. With violations carrying civil penalties up to the greater of $368,136 or twice the transaction value and criminal penalties of up to 20 years imprisonment and $1 million fines for willful violations, the big question for 2026 is whether the DOJ will follow through with aggressive enforcement. The National Security Division has historically litigated relatively few civil matters, though expect to see the department make at least a few examples, particularly targeting egregious violations.
Experts believe the DOJ will start to test the enforcement waters soon.
“In 2026, we expect the DOJ to bring a handful of test cases to see whether companies actually built the programs the rule assumes,” Susie Lloyd, an associate at Parker Poe, told CCI in a written Q&A. “Compliance won’t just be about having a policy on paper. It will be about showing your data maps, your vendor diligence and your contract term.”
Trump guts federal workforce, essentially eliminating CFPB
The Trump Administration’s chaotic dismantling of the Consumer Financial Protection Bureau (CFPB) left the agency a shell of its former self and threw financial services compliance teams into uncertainty. After Elon Musk’s DOGE team targeted the agency for elimination, CFPB leadership shuttered headquarters, dropped lawsuits against major financial institutions like Bank of America, JPMorgan Chase, Wells Fargo and Capital One and moved to fire about 1,500 of the agency’s 1,700 employees.
While a federal judge temporarily halted the mass layoffs in April, the administration ultimately proceeded with reductions that left the bureau with around 200 employees — down from peak staffing levels — and dramatically curtailed its enforcement and supervisory functions. The agency’s new mission statement makes clear it will focus resources on mortgages while deprioritizing medical debt, student loans, digital payments and buy-now-pay-later services.
Financial services compliance professionals shouldn’t expect a lighter workload, though, experts told CCI, as state enforcers are stepping into the void with their own consumer protection initiatives. States have explicit authority under a 2022 CFPB interpretive rule to independently enforce federal consumer financial protection laws, and several are already introducing new legislation to fill regulatory gaps — particularly around Buy Now Pay Later services, where the UK has moved forward with comprehensive oversight that could set a global standard. Compliance teams will need to pivot from managing federal requirements to navigating a patchwork of state laws, while also considering private rights of action, statutes of limitations for past conduct and the reputational risks that come with reduced regulatory oversight. As one expert put it: Fewer regulators doesn’t mean fewer risks.
Reductions in the federal workforce could be a boon for some organizations wanting to add expert employees to their roster. They should do so cautiously, Ambika J. Biggs, a partner at law firm Hirschler, told CCI in a written Q&A.
“Hiring former federal workers comes with some compliance risks,” Biggs said. “Former government employees have post-employment restrictions that limit the type of work they can perform. The restrictions can be for one year, two years or permanently, depending on what work they did for the government and what work they will do for their new employers. Contractors need to be aware of these restrictions prior to hiring individuals and will want to make sure their new employees are abiding by their obligations.”
For companies with business before the federal offices and agencies that have experienced the deepest cuts? Expect slower response times, more glitches and more interaction with online portals rather than real people, Supino, who works frequently on regulatory matters, told CCI. But, she said, remember that federal workers are first and foremost human beings.
“The people are doing the best that they can in our experience, and we have had some surprisingly fast results in some areas,” Supino said. “Compliance professionals should remember that this has been an incredibly stressful time for federal workers; patience and thanks are always appreciated by the agents we work with on these matters.”
UK’s SFO clarifies self-reporting guidance and incentives
The UK’s Serious Fraud Office (SFO) made a significant move in April to remove uncertainty around corporate self-reporting, publishing guidance that explicitly promises organizations will be invited to negotiate deferred prosecution agreements (DPAs) rather than face prosecution if they self-report promptly and cooperate fully, unless exceptional circumstances apply.
Director Nick Ephgrave describes it as a “cast-iron guarantee,” and the guidance comes with concrete service-level commitments: The SFO will respond within 48 business hours, decide whether to open an investigation within six months and conclude DPA negotiations within another six months. The timing was strategic, designed to kickstart enforcement ahead of the September implementation of the Economic Crime and Corporate Transparency Act’s new “failure to prevent fraud” offense, which extends corporate criminal liability well beyond the existing bribery and tax evasion offenses.
But as observers quickly noted, the devil is in the details, and those details remain frustratingly vague. The guidance doesn’t define what constitutes “exceptional circumstances” that would override the DPA guarantee, how long companies have to self-report before they’re deemed to have waited too long or how much investigation is expected before disclosure. Even more problematic, the guidance suggests companies might still qualify for DPAs through “exemplary cooperation” even without self-reporting, potentially reducing the direct incentive to come forward early. The broader challenge for the SFO remains demonstrating that there’s genuine prosecution risk for those that don’t self-report, a difficult task given the agency’s unfortunate track record of failing to secure convictions against individuals whose conduct formed the basis of corporate DPAs. The groundwork has been laid to enhance self-reporting incentives, but more work is needed to prove the stick is as real as the carrot.

Jennifer L. Gaskin is editorial director of Corporate Compliance Insights. A newsroom-forged journalist, she began her career in community newspapers. Her first assignment was covering a county council meeting where the main agenda item was whether the clerk's office needed a new printer (it did). Starting with her early days at small local papers, Jennifer has worked as a reporter, photographer, copy editor, page designer, manager and more. She joined the staff of Corporate Compliance Insights in 2021. 





